Iranians faced mass man-in-the-middle on August 28

On 28 August Iranian citizens were subject to a far-reaching cyber snooping operation made possible by an attack on Dutch certificate authority DigiNotar.

Researchers at vendor Trend Micro on Monday backed up earlier claims by Google that Iranian internet users were the main target of “man-in-the-middle” attacks after DigiNotar issued a fraudulent Google.com certificate.

The Dutch Government revealed on Saturday that a total of 531 fraudulent certificates were issued by DigiNotar compared to the “few dozen” the now blacklisted certificate authority (CA) originally claimed.

While there remains some doubt over whether the Iranian Government was really behind the attacks, there was no doubt that Iranian citizens were the primary targets in the days leading to DigiNotar’s disclosure, according to Trend Micro researcher Feike Hacquebord.

Hacquebord analysed the domain “validation.diginotar.nl”, a site typically used by browsers in Holland to check the authenticity of DigiNotar-issued SSL certificates.

The site recorded a huge spike in traffic from Iran on 28 August, which all but disappeared by August 30, the day after Google, Microsoft and Mozilla blacklisted the majority of the firm’s certificates.

“These aggregated statistics from Trend Micro Smart Protection Network clearly indicate that Iranian Internet users were exposed to a large scale man-in-the-middle attack, where SSL encrypted traffic can be decrypted by a third party,” he said.
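The detection signal Hacquebord describes is a per-country spike in requests to a CA's validation endpoint. The following Go program is an added example, not Trend Micro's code or data: it parses constructed daily aggregates (date, country code, request count) and flags days whose count exceeds a multiple of that country's median. The record format, the sample values and the factor of 10 are assumptions chosen for this illustration; the median baseline is used because it stays stable as long as fewer than half the days are anomalous.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleStats is a constructed sample of aggregated validation-endpoint traffic:
// one record per line, "YYYY-MM-DD COUNTRY COUNT". It is not real DigiNotar data.
const sampleStats = `2011-08-24 IR 41
2011-08-24 NL 5200
2011-08-25 IR 39
2011-08-25 NL 5100
2011-08-26 IR 44
2011-08-26 NL 5300
2011-08-27 IR 52
2011-08-27 NL 5150
2011-08-28 IR 6300
2011-08-28 NL 5250
2011-08-29 IR 4900
2011-08-29 NL 5400
2011-08-30 IR 35
2011-08-30 NL 3900`

// parseStats returns counts keyed by country and then by date.
// Malformed lines are reported as errors rather than silently skipped.
func parseStats(raw string) (map[string]map[string]int, error) {
	out := map[string]map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		n, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, fmt.Errorf("bad count in %q: %v", line, err)
		}
		if out[f[1]] == nil {
			out[f[1]] = map[string]int{}
		}
		out[f[1]][f[0]] += n
	}
	return out, sc.Err()
}

// median of a non-empty slice; callers must check for emptiness.
func median(vals []int) float64 {
	s := append([]int(nil), vals...)
	sort.Ints(s)
	n := len(s)
	if n%2 == 1 {
		return float64(s[n/2])
	}
	return float64(s[n/2-1]+s[n/2]) / 2
}

// spikeDays lists, in date order, the days whose count exceeds factor times
// the median daily count for that country.
func spikeDays(byDate map[string]int, factor float64) []string {
	if len(byDate) == 0 {
		return nil
	}
	vals := make([]int, 0, len(byDate))
	for _, v := range byDate {
		vals = append(vals, v)
	}
	base := median(vals)
	var days []string
	for d, v := range byDate {
		if float64(v) > factor*base {
			days = append(days, d)
		}
	}
	sort.Strings(days)
	return days
}

// SpikesFor parses raw records and returns the spike days for one country.
func SpikesFor(raw, country string, factor float64) ([]string, error) {
	stats, err := parseStats(raw)
	if err != nil {
		return nil, err
	}
	return spikeDays(stats[country], factor), nil
}

func main() {
	for _, c := range []string{"IR", "NL"} {
		days, err := SpikesFor(sampleStats, c, 10)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%s spike days: %v\n", c, days)
	}
}
```

On the constructed data the Iranian series is flagged on 28 and 29 August and nothing is flagged for the Netherlands, which is the shape of anomaly the article describes: a CA whose validation traffic is dominated by one country for a couple of days, then returns to baseline once the certificates are distrusted.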

Security and privacy researcher Christopher Soghoian believed the trigger for Iran’s attack on a foreign CA was Google’s decision in 2010 to make Gmail HTTPS by default.

“Google turned on HTTPS by default for Gmail. Iran gov could no longer sniff the wire. Iran has no domestic CAs, so it hacked foreign CAs,” he said in a Twitter post Monday.

DigiNotar also revealed it had invited Dutch security firm FOX-IT to report on the incident as part of its bid to regain community trust. It has since urged Iranians to take precautions.

“It is possible that the results of the hack are used for internal Iranian political activities in order to thwart the local democratic movements,” it said.

Upon reading the report, Mozilla developer Gervase Markham urged all Iranians to update their browsers, invalidate any captured cookies by logging out of and back into every active email and social media service, and change passwords.

The fraudulent certificates would have been highly prized by Iranian authorities due to all web traffic being routed through government approved proxy servers, according to fellow Trend Micro researcher Rik Ferguson.

“In Iran, all web traffic must pass through state approved proxies, the perfect man in the middle. In this scenario, the ‘benefits’ of owning fraudulent certificates are clear. All encrypted traffic for affected destinations can now be decrypted at will and the end-user will be entirely unaware.”

Separately, Microsoft has warned that Internet Explorer users on Windows Vista or later who used a DigiNotar certificate before August 29 could be vulnerable until September 5 because the browser may have cached DigiNotar as a trusted root CA.
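Ferguson's point about the fraudulent certificates and Microsoft's point about the cached root are two sides of the same mechanism: a certificate is only as trustworthy as the roots in the client's trust store. The Go program below is an added example, not code from DigiNotar, Microsoft or any browser vendor. It constructs, entirely in memory, a rogue CA and an unrelated CA, has the rogue CA issue a server certificate for www.google.com (mirroring the fraudulent certificate the article describes), and checks that certificate against two trust stores: one where the rogue CA is still trusted, and one where it has been removed. All names and keys are generated for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caMaterial bundles a CA certificate with its private key.
// Everything here is generated in memory for the example; nothing is a real CA.
type caMaterial struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed root CA with the given common name.
func newCA(commonName string) (*caMaterial, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caMaterial{cert: cert, key: key}, nil
}

// issueLeaf has ca sign a server certificate valid for dnsName.
func issueLeaf(ca *caMaterial, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedFor reports whether leaf chains to a root in roots for dnsName,
// which is exactly the check a TLS client performs on a server certificate.
func trustedFor(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Outcome records whether the rogue-issued certificate was accepted before and
// after the rogue CA was removed from the trust store.
type Outcome struct {
	AcceptedWhileCATrusted bool
	AcceptedAfterDistrust  bool
}

// RunScenario builds the rogue CA, an unrelated CA, and the rogue-issued leaf,
// then evaluates the leaf against both trust stores.
func RunScenario() (Outcome, error) {
	const target = "www.google.com" // constructed; mirrors the certificate in the article
	rogueCA, err := newCA("Example Compromised CA (constructed)")
	if err != nil {
		return Outcome{}, err
	}
	otherCA, err := newCA("Example Unrelated CA (constructed)")
	if err != nil {
		return Outcome{}, err
	}
	leaf, err := issueLeaf(rogueCA, target)
	if err != nil {
		return Outcome{}, err
	}
	// Trust store as shipped before the incident: both roots are trusted.
	before := x509.NewCertPool()
	before.AddCert(rogueCA.cert)
	before.AddCert(otherCA.cert)
	// Trust store after the vendors blacklisted the compromised root.
	after := x509.NewCertPool()
	after.AddCert(otherCA.cert)
	return Outcome{
		AcceptedWhileCATrusted: trustedFor(leaf, before, target),
		AcceptedAfterDistrust:  trustedFor(leaf, after, target),
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("accepted while rogue CA trusted: %v\n", out.AcceptedWhileCATrusted)
	fmt.Printf("accepted after rogue CA removed: %v\n", out.AcceptedAfterDistrust)
}
```

The first check succeeds even though the certificate was never requested by the domain's owner, which is why an interception proxy holding such a certificate is invisible to the user; the second fails, which is what the browser blacklists achieved and what a client with a stale cached root would still miss.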

Kaspersky Lab researcher Roel Schouwenberg believed the attack had much larger implications than Stuxnet, the virus believed to have been devised to destroy key parts of Iran’s nuclear program.

“The attack on Diginotar doesn't rival Stuxnet in terms of sophistication or coordination. However, the consequences of the attack on Diginotar will far outweigh those of Stuxnet. The attack on Diginotar will put cyberwar on or near the top of the political agenda of Western governments,” he said.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.